Fix a segfault that occurred in the MIPS DSPr2 fancy upsampling routine when downsampled_width==3.  Because the DSPr2 code unrolls the loop for the middle columns (refer to jdsample.c), it has the effect of performing two column iterations, and that only works properly if the number of columns (minus the first and last) is >= 2.  For the specific case of downsampled_width==3, this patch skips to the second iteration of the unrolled column loop.


git-svn-id: svn+ssh://svn.code.sf.net/p/libjpeg-turbo/code/branches/1.4.x@1562 632fc199-4ca6-4c93-a231-07263d6284db
diff --git a/ChangeLog.txt b/ChangeLog.txt
index e545606..c3b3316 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -53,6 +53,10 @@
 as much of the image as possible, but those functions will now return -1 to
 indicate that the decompression was not entirely successful.
 
+[10] Fixed a bug in the MIPS DSPr2 4:2:2 fancy upsampling routine that caused a
+buffer overflow (and subsequent segfault) when decompressing a 4:2:2 JPEG image
+in which the right-most MCU was 5 or 6 pixels wide.
+
 
 1.4.0
 =====
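Review bot: entry [10] gives the trigger only in image terms ("right-most MCU was 5 or 6 pixels wide") and never mentions the condition the commit message names, downsampled_width==3, so a reader cannot connect the note to the code path that changed. Consider adding that condition in parentheses. Because the entry describes a buffer overflow reached while decompressing a JPEG image, it would also help anyone triaging impact to say whether the overflow is a read or a write, which the entry leaves open.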
diff --git a/simd/jsimd_mips_dspr2.S b/simd/jsimd_mips_dspr2.S
index 4572a51..c599096 100644
--- a/simd/jsimd_mips_dspr2.S
+++ b/simd/jsimd_mips_dspr2.S
@@ -916,7 +916,8 @@
     srl            t1, t1, 4
     sb             t0, 0(s3)
     sb             t1, 1(s3)
-    addiu          s3, 2
+    beq            t8, s0, 22f     // skip to final iteration if width == 3
+     addiu          s3, 2
 2:
     lh             t0, 0(s0)       // t0 = A3|A2
     lh             t2, 0(s1)       // t2 = B3|B2
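Review bot: the new `beq t8, s0, 22f` guards on equality only, and its comment says "width == 3" while the instruction compares two registers whose meaning is not stated here. If t8 is the end pointer for the middle columns and s0 the current input pointer (as the later `bne t8, s0, 2b` suggests), please say so in the comment, and confirm that widths below 3 cannot reach this point, since in that case the pointers would never compare equal and the loop at `2:` would not terminate on its `bne`. Minor style point: the delay-slot `addiu s3, 2` has its operands one column further right than the other delay-slot instructions, such as `addiu s3, 4`.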
@@ -949,6 +950,7 @@
     sb             t2, 3(s3)
     bne            t8, s0, 2b
      addiu         s3, 4
+22:
     beqz           s5, 4f
      addu          t8, s0, s5
 3:
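Review bot: label `22:` is placed after the back-branch `bne t8, s0, 2b` and its delay slot, so the new skip path bypasses the whole body of loop `2:` rather than entering part of it, which does not match the commit message's "skips to the second iteration of the unrolled column loop" or the branch comment's "final iteration". Please add a comment at `22:` stating what it is the entry point for and what s3, s0 and t8 are expected to hold on arrival: the skip path reaches it with s3 advanced by 2 from the branch delay slot, while the loop path reaches it after `addiu s3, 4`. A more distinctive label would also read better next to `2:` and `2b`.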